COD4 Field of View (fov) increase detected by PB

[Genocide]

Hi again another call of duty question but this time COD4.

In the multiplayer fov is capped at 80, now I have located the static memory address for the fov setting and can increase it to whatever I wish above 80, however when doing so punkbuster detects it and reports 'hacked cvar detected'.

I assume pb is scanning the same area of memory I have changed hence the detection, is there a way for me to change this setting without pb knowing? bypass it somehow?

[TeamRetox]

find references to that cvar in the exe and patch them

[Genocide]

Hi Retox thanks for the reply but how do I go about doing that? I'm new to this and using cheat engine to make a basic trainer is about all I have done so far.

[54321]

i assume uve got it working with punkbuster off

[Genocide]

Yes changing the fov is easy and punkbuster detecting just confirms I have changed it but I just want to circumvent pb detection and not sure how to go about what Retox suggested.

[Genocide]

I opened the exe with OllyDbg and found the text reference to the cvar command although unsure what to do now.

[Genocide]

Ok I been reading loads on code caves is this what I need? Re-route the value command i'm changing outside of the punkbuster scan range.

So far I know the float static address which controls the value of the fov and I have found the address which access/write to it when changing the fov via the console. I then attached the exe to ollydbg searched for the previous address which accessed the memory and set a breakpoint memory on access so when I change the value via the console again the debugger pauses. So is the the correction location to start my code cave? i'm not quite sure what to do from here....

[Genocide]

Ok another update lol

As I already said been playing around with olldbg etc but I just tried using MHS and think I found what i'm looking for this time, I have identified the hex entry that changes whenever I change the fov and confirmed this by changing the hex manually and the fov then changes in game. However the hex value needs to be twice the decimal value of the fov I want, so fov 90=B4 (180 in hex).

[TeamRetox]

w2g :) 90(decimal) is 0x5A in hex tho

[Genocide]

Thanks dude hopefully i'm on the right track its all new so learning as I go.

Yes 90 in hex is 5A but the value in hex which represents the field of view setting is double what you set if you can see what I mean. If fov is set to 80 hex value will be double so 160=A0, make any sense?

[TeamRetox]

wtf? why would they double the fov in memory, when half the calculations that use fov use either fov/2 or fov itself ;o infinity ward is a weird bunch of gays o__O

[Genocide]

I may be misunderstanding what's going on as i'm a little lost now and not sure what to do next.

Basically I have found a static base address (0CBAF114 float type) the value of which changes to whatever I set the fov as in the console (60, 70, 80 etc) and I can also change the value directly and it will change in game.
Then if I view the address in hex editor (using MHS) it takes me to 0CBAF110 and the hex value in the sixth column is 0CBAF114 value x2

I'm struggling with what to do next though, I have used the what read/writes to this address functions on a couple of apps got a result but not sure what to do with it. If I plan on using a code cave I understand I need to duplicate the code and modify it in a memory location where PB won't scan leaving the scanned area as it should be but still after reading several tutorials I'm not quite sure how to this part :(

[TeamRetox]

If you're gonna do it from C++, you can use virtualprotectex to set acces rights, then memcpy to copy the original code over to some place u want, then use offset-originalstartaddress+yourcustomstartaddress and modify it there, then change all the calls to the function that reads from fov to call your modified one instead of the original one

[Genocide]

If you're gonna do it from C++, you can use virtualprotectex to set acces rights, then memcpy to copy the original code over to some place u want, then use offset-originalstartaddress+yourcustomstartaddress and modify it there, then change all the calls to the function that reads from fov to call your modified one instead of the original one

Ah so is that basically a code cave then?

I'm not familiar with c++ but it is something I plan on looking into, today I have been reading tutorials and such on ASM to help me understand what i'm looking at in the disassembler.

[TeamRetox]

Unless you feel like manually copying over all bytes I'd say memcpy is the way to go :P

codecave example:

original code:
push eax
push 1 <- say we want this 0, but something prevents us from doing that(e.g. anticheat)
call blarg

modified code(this case added infront, can also overwrite others, aslong as you nop out the remains, so yuo're not stuck with half instructions):
jmp ourcodelocation
push eax
push 1
call blarg
justbehindblarg

ourcodelocation:
push eax
push 0
call blarg
jmp justbehindblarg




Or:
original code @ 0x0B4DF00D
push 1
push 2
push 3
call blablabla
jnz 0x13333337

and somewhere else in the exe:
call 0x0B4DF00D

now if we copy the function 0x0B4DF00D somewhere else, we can just modify the call
so we change the above call 0x0B4DF00D to call 0x0BADB33F(where our function lives)

[54321]

out of all things y do u want to change fov

[TeamRetox]

out of all things y do u want to change fov

Some people become nauseous by playing Call of Duty because it doesnt use FOV 90.
Its the same as some people become nauseous when driving for too long

[54321]

hmmmm so all this to stop feeling nauseous

so y does punkbuster stop it if its not giving you an advantage

[Genocide]

I want to increase the fov because I like to have it higher than 80, plus I want to see if I can do it.

Why PB stops this is irrelevant really, the fact it is does and I just want to see if I can create a work around.

[Sethioz]

I want to increase the fov because I like to have it higher than 80, plus I want to see if I can do it.

Why PB stops this is irrelevant really, the fact it is does and I just want to see if I can create a work around.

1. this is why i do most of my hacks, i want to see if i can.
2. indeed it is irrelevant, topic is about hacking fov by bypassing PB
3. about PB, im not 100% sure, but i think there was some tutorials which showed you how to disable/bypass PB totally.
like run a dummy PB or something. PB is one piece of shit, so i have never played any games that uses it, i mean i have, but not online.
i blacklisted PB with my zonealarm, so it is not allowed to run at all, hate that shit.


here's one crazy idea. as far as i know, PB is not local. it sends info back to some PB server and based on that it will either kick or ban. my tought is to fool PB somehow, so you actually close PB down, but make server think that you are still running it (actually i think this is the method that this bypass was based on).

[Genocide]

here's one crazy idea. as far as i know, PB is not local. it sends info back to some PB server and based on that it will either kick or ban. my tought is to fool PB somehow, so you actually close PB down, but make server think that you are still running it (actually i think this is the method that this bypass was based on).

I can understand the concept there of sending dummy packets but I honestly have no idea how I would do that at this time.

Again I understand what Retox was saying with the code cave example, I jump to another area where my modified code resides or I call my modified code instead of the original code its just finding where I need to implement this. In fact I have tried this with the piece of code which writes to the base address for fov and it worked.

The problem at the minute is my lack of knowledge, changing a simple decimal value in a memory scanner is easy enough but manipulating code in a disassembler is something else.

Edit: This is the write address
0056B586 |. 8977 0C MOV DWORD PTR DS:[EDI+C],ESI
but where do I go from here?

[Sethioz]

about the code cave and writing your own code, there are some very good examples in Tsearch's tutorial. it is included inside of tsearch. try reading that.
I am not interested in PB, so i can't give you exact examples, but if you write your own code, you can just put it into random place. in Tsearch just open the memory viewer/editor and look for empty place, this is where you can write it.
you don't even need olly for that, you can use Tsearch's easywrite interpreter. it is very easy to use.

i have done few things with easywrite, you should read this thread > Resident Evil 5 - hacks & stuff [PC]
use your brower's search and search for "easywrite". i have few examples there on how to use it, i wrote my own code in RE5, using easywrite. it might help you out on how to use it and jump to your own code.

[TeamRetox]

here's one crazy idea. as far as i know, PB is not local. it sends info back to some PB server and based on that it will either kick or ban. my tought is to fool PB somehow, so you actually close PB down, but make server think that you are still running it (actually i think this is the method that this bypass was based on).

I can understand the concept there of sending dummy packets but I honestly have no idea how I would do that at this time.

Again I understand what Retox was saying with the code cave example, I jump to another area where my modified code resides or I call my modified code instead of the original code its just finding where I need to implement this. In fact I have tried this with the piece of code which writes to the base address for fov and it worked.

The problem at the minute is my lack of knowledge, changing a simple decimal value in a memory scanner is easy enough but manipulating code in a disassembler is something else.

Edit: This is the write address
0056B586 |. 8977 0C MOV DWORD PTR DS:[EDI+C],ESI
but where do I go from here?

MOV DWORD PTR DS:[EDI+C],ESI
MOVe
DWORD pointer, ds is a register
EDI+C = Address of EDI+C, the [] around it means the value memory location pointed to by what is inside the []
ESI is a register

in this case, they move(copy) ESI into the address pointed to by EDI+C
put a breakpoint on it, run CoD4 and change the fov, see if the breakpoint triggers, and see what value ESI is.

I asume ESI is the fov, and [EDI+C] is either the D3D location that contains the fov, or part of a punkbuster scan.
if ESI is indeed the fov try replacing the command with MOV DWORD PTR:DS[EDI+C], 0x5A

[Genocide]

Thanks for your patience Retox I know it can be frustrating helping someone like myself at times.

Using ollydbg I set a breakpoint on
0056B586 |. 8977 0C MOV DWORD PTR DS:[EDI+C],ESI
yet when I changed fov via console it doesn't break?

I'm not sure if this helps but when setting a breakpoint on
0CBAF114 0000 ADD BYTE PTR DS:[EAX],AL

the value of ESI at break is , 42A00000

[TeamRetox]

See what happens if you NOP the mov DWORD PTR DS:[EDI+C], ESI
Try changing the fov, if it wont change its the correct line, if it does changes its another line that handles fov

[Genocide]

Yeah I did NOP that line and then when I change the fov via the console it doesn't change. However under the cg_fov command as well as stating the default value 65 it also then states latched value which is the value I tried to set but it no longer changes. I also redirected this line of code to another area for a little practice with codecaves, when doing so I was able to change fov fine then once again when I NOP the line in the code cave can no longer change and have latched value.

[SageR]

Could you use Proxocket on Punkbuster to record a long session of gaming, and when you're done playing, block Punkbuster and replay the data recorded by Proxocket with a packet sender to the Punkbuster server, and then muck about for as long as the long session of gaming lasted? Seems logical, but somehow unlikely. I know I'm missing some variables in there. Tell me what you think.

[Sethioz]

proxocket captures only the process, which means you have to first put proxocket into PB folder and then into game folder.
my idea would be fake packet. if pb says "busted" then using a filter in proxocket, it would say "clean"

but why you want to send the long game session ? anyways im not the right person to talk about PB, i never done any research on it. PB only fucks my pc up, cuz of my custom XP. it doesnt like it, everything conflicts and it crashes ..etc

[SageR]

Remember in the movie Speed they fool the bad guy by putting the footage on a loop? That's what I was thinking, only more of a one-shot deal. Still learning as I go. The filter approach seems like the best bet. Punkbuster, to the best of my knowledge, scans only apps that interact with its games, not PB itself. Whether it keeps an eye on itself remains to be seen.

I'm curious: what decent MMO games are there with no cheat protection that can be used as practise? These days it seems like everyone's got their backs up about cheating that there's no latitude for educational exploration. That sounds horribly off-topic, but my rationale is: practise first, spoof Punkbuster later.

[Sethioz]

those theorys about PB are interesting, but not in this topic.
if you wish to discuss how to bypass PB, make a new thread under pc hacking or game hacking, PB could be both.